
Protecting Customer Data: Is Your DSAR Process Compliant?

Posted by Paul Holland

With data privacy becoming increasingly crucial, organisations are under significant pressure to handle customer data responsibly.

One vital but often overlooked aspect of data protection is the handling and response to Subject Access Requests (SARs).

Data Subject Access Requests (DSARs) allow individuals to access personal information held by organisations.

Handling these requests can be intricate. Organisations must carefully navigate data protection regulations, such as the General Data Protection Regulation (GDPR), to ensure compliance.

Companies face significant challenges in this area. The Information Commissioner’s Office (ICO) reported receiving over 15,000 subject access complaints last year.

In response, the ICO published new guidance for businesses and employers, highlighting widespread misunderstandings and the underestimation of the importance of timely responses.

Why are organisations struggling so much?

The Problem With Fulfilling DSARs

Completing a DSAR often involves multiple tasks that require the expertise or system access of IT teams.

Unfortunately, IT departments are already overwhelmed.

Adding DSARs to their workload diverts attention from critical security operations and risks delays.

Under GDPR, organisations have one month to respond to a DSAR. Failing to meet this deadline can result in fines of up to 4% of global revenue.

Beyond compliance risks, the financial burden of managing DSARs is increasing. Surveys by privacy experts indicate that 41% estimate the average cost of a DSAR to be between £3,000 and £6,000.

As costs rise, organisations struggle to keep up - risking fines that further strain their resources.

Moreover, businesses must strictly follow GDPR when processing DSARs, including securing the data they handle and protecting sensitive information.

To address these challenges, businesses should ask:

  • How can we efficiently handle DSAR tasks without overloading our teams?
  • How can we minimise the costs associated with DSARs?
  • How can we securely return DSAR data without breaching data protection laws?

Let’s explore the key ICO guidance to help answer these questions.

Authenticating Incoming Subject Access Requests

One primary concern in the DSAR process is verifying the authenticity of the requester. Confirming the identity of individuals making requests is crucial to prevent unauthorised access to personal data.

“To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, you need to be satisfied that: you know the identity of the requester (or the person the request is made on behalf of); and the data you hold relates to the individual in question (e.g. when an individual has similar identifying details to another person).”

ICO Guidance

Always ask for enough information to confirm that the requester (or the person they are acting for) is the subject of the data.

Implement robust authentication, such as multi-factor authentication or requesting secondary ID verification.

Sending the Requested Data Back to the Subject

Once identity is verified, the next challenge is securely transmitting the data.

Data protection laws require confidentiality and the prevention of unauthorised disclosure.

Organisations must use secure channels when responding to DSARs.

“The security measures you need to take to send information securely as part of a subject access request (SAR) depend on the type of information you’re planning to send and what you think the risk is to the data. As a general rule, if a SAR was made to you by email, then there’s an expectation that you’ll reply by email, too, unless the person says otherwise.”

ICO Guidance

For SARs made via email - an inherently insecure channel - email encryption is essential.

End-to-end encryption protects data in transit and at rest, helping organisations avoid breaches.

To comply with GDPR and similar regulations, organisations must use secure channels when sharing personal data in response to DSARs.

Reducing Costs and Meeting Deadlines

Organisations are struggling to complete the DSAR process efficiently and cost-effectively within the required one-month window.

They need a solution that empowers teams to manage DSARs without heavy IT involvement - one that is secure, compliant, and cost-effective.

This is where secure email solutions are invaluable.

Mailock, our secure email solution, provides end-to-end encryption and multi-factor authentication, enabling organisations to safely transmit data and verify recipients’ identities before access.

Widely used across regulated industries, Mailock is intuitive, cost-saving, and compliant - helping businesses meet DSAR demands without the burden.


References

It's Important Not to Get Caught Out: New SARs Guidance for Employers Issued, ICO, 2023

Average Cost of a Data Subject Access Request UK, Statista, 2024

What Should We Consider When Responding to a Request?, ICO, 2023

Right of Access, Subject Access Requests, and Other Rights, ICO, 2023

Reviewed by

Sam Kendall, 14.06.24

Sabrina McClune, 18.06.25


Originally posted on 28 06 23
Last updated on June 18, 2025

Posted by: Paul Holland

Paul, CEO and Founder of Beyond Encryption, is an expert in digital identity, fintech, cybersecurity, and business. He developed Webline, a leading UK comparison engine, and now drives Mailock, Nigel, and AssureScore to help regulated businesses secure customer data.
